A US cybersecurity task force has advised IT suppliers to improve default security settings in their products.
The National Cyber Security Partnership Task Force's Technical Standards and Common Criteria committee released its recommendations yesterday. The group of academics, government officials, IT suppliers and customers requested stronger "out-of-the-box" security configurations and support of at least one configuration profile that provides a baseline security level.
The 104-page committee report, available at http://www.cyberpartnership.org/TF4TechReport.pdf, is intended to put more pressure on suppliers about default security settings and raise awareness about best practices and security audits, said Mary Ann Davidson, chief security officer at Oracle and co-chairwoman of the committee.
The recommendations included:
- Suppliers should provide more substantive security recommendations, configuration checklists and best practices to customers;
- The US government, user groups and customers should encourage more independent security evaluations of IT products;
- The US government should help offset the costs of an IT supplier going through a Common Criteria security evaluation through tax credits or other methods;
- The US government should fund the development of code-scanning tools that detect flaws in software code.
However, many of the recommendations place the responsibility for cybersecurity on suppliers. "As an industry, we corporately need to do a better job of security infrastructure," Davidson said.
Davidson will take the recommendations, as well as others from NCSP, back to Oracle to see how her company can improve security.
"Most of us want to take it to the next level and show concrete progress," she said.
The National Cyber Security Partnership was established to develop shared strategies and programs to secure and enhance America's critical information infrastructure, following the release of the White House National Strategy to Secure Cyberspace in February 2003 and the National Cyber Security Summit in December.
The partnership is led by TechNet, the Business Software Alliance, the Information Technology Association of America and the US Chamber of Commerce.
Grant Gross writes for IDG News Service.